GandCrab operators come out of retirement with a new strain of 'REvil' ransomware

In their farewell message in June, the group believed to be behind the new ransomware said they wanted to enjoy a "well-deserved retirement"

The criminals behind the GandCrab ransomware, who announced their retirement in June, have relaunched themselves with a new brand of ransomware.

That's according to the researchers at cyber security firm SecureWorks, who arrived at the conclusion after analysing a new strain of ransomware.

In June, the operators of the GandCrab ransomware-as-a-service said that they were retiring after having generated more than $2 billion, in total, from their ransomware-as-a-service scheme.

In their farewell message, the group said they wanted to enjoy a "well-deserved retirement" on their huge earnings and that their activities were proof that "you can do evil and get off scot-free".

GandCrab had been active since January 2018 and had grown to become the most common ransomware strain globally. One of the reasons behind GandCrab's immense growth was its affiliate model, which enabled hackers to get handy kits in exchange for paying 40 per cent of their earnings to the developers.

Researchers at SecureWorks say that the GandCrab group appears to have re-launched itself with a new strain of ransomware called Sodinokibi or REvil, which caused huge disruption in several Texas municipalities recently and also affected a large number of dental practices in the US.

REvil was first identified by Cisco Talos researchers on 17th April 2019, shortly before GandCrab ended its operation.

According to the researchers, REvil's code is similar to GandCrab's. The string decoding functions and the URL building functions used by GandCrab and REvil are almost identical, and they also contain similar kinds of mistakes.

There is also evidence suggesting that REvil was initially written as a new version of GandCrab: many lines in the code of REvil's beta version appear to contain references to GandCrab.

Don Smith, director of the Secureworks Counter Threat Unit (CTU), believes the GandCrab group likely announced their retirement because they were not comfortable with the "overall attention focused on the GandCrab brand."

Dr Guy Bunker, CTO of Clearswift commented: "Ransomware remains a lucrative business and while it's been headline news for a number of years there are still organisations which have not taken precautions to protect themselves, their people, data and clients from attack, which means there is still opportunity for the likes of GandCrab."

"Furthermore, with the ongoing commercialisation of malware, there are other opportunities for bespoke or customised malware to be developed and sold to the highest bidder. Of course, it's not just the actual malware; there are the other pieces of an attack which need to be orchestrated, such as the spear phishing attack or Business Email Compromise attack with weaponised documents."